From c42e859215155b292435b2fcc921098a0b93de9d Mon Sep 17 00:00:00 2001
From: Mauricio Siu
Date: Mon, 8 Dec 2025 00:05:55 -0600
Subject: [PATCH] feat(organization): add user membership verification for organization queries

- Implemented a check to verify if the user is a member of the organization before allowing access to organization data.
- Added error handling to return a FORBIDDEN response if the user is not a member.
---
 apps/dokploy/server/api/routers/organization.ts | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/apps/dokploy/server/api/routers/organization.ts b/apps/dokploy/server/api/routers/organization.ts
index e6301eb51..7cffab9f9 100644
--- a/apps/dokploy/server/api/routers/organization.ts
+++ b/apps/dokploy/server/api/routers/organization.ts
@@ -80,7 +80,22 @@ export const organizationRouter = createTRPCRouter({
 organizationId: z.string(),
 }),
 )
- .query(async ({ input }) => {
+ .query(async ({ ctx, input }) => {
+ // Verify user is a member of this organization
+ const userMember = await db.query.member.findFirst({
+ where: and(
+ eq(member.organizationId, input.organizationId),
+ eq(member.userId, ctx.user.id),
+ ),
+ });
+
+ if (!userMember) {
+ throw new TRPCError({
+ code: "FORBIDDEN",
+ message: "You are not a member of this organization",
+ });
+ }
+
 return await db.query.organization.findFirst({
 where: eq(organization.id, input.organizationId),
 });
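Review bot: The membership guard is written inline in this one `.query` handler, so it protects only this procedure; any other handler in `organizationRouter` that takes `organizationId` from client input needs the same lookup, and the rest of the router is outside this hunk, so whether they have it cannot be confirmed from here. Consider moving the lookup and the `FORBIDDEN` throw into one shared helper (name to be chosen by the project) that every organization-scoped handler calls first, so a new endpoint cannot forget it. The guard also reads `ctx.user.id`, which presumes the procedure is declared with an authenticated procedure type; that declaration sits above the hunk and is worth checking. Running the membership lookup before loading the organization means unknown and foreign IDs both return `FORBIDDEN`, which avoids revealing whether an organization exists; I would record that in the comment, e.g. `// Check membership first so unknown and foreign organization IDs are indistinguishable to the caller`.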